Right to Delete Personal Information
Hello, everyone, and welcome to Lesson 3.4, where we discuss the next consumer right that exists under the CCPA:
the right to delete personal information.
The learning goals and objectives for Lesson 3.4:
First, we will review the concept of a deletion request.
What does that mean?
Goal number two.
We will review the major exceptions to a consumer's request to delete personal information.
I need to warn you ahead of time.
The exceptions under the CCPA are far greater than under the GDPR or any other privacy law that, to my knowledge, exists out there.
The CCPA has a lot of exceptions. We will explore them,
then number three, the meat and potatoes of Lesson 3.4.
We will actually review how to execute a deletion request internally.
The baseline rule that you need to be aware of is that the CCPA provides consumers with the right to request that a business delete any personal information about that consumer.
This was one of the main reasons why the CCPA even came into existence.
The advocates, including Alastair Mactaggart and Mary Stone Ross and others,
were very concerned that companies were keeping personal information about consumers in perpetuity and that there was no mechanism to delete personal information after it was collected.
This right here is one of the main reasons why the CCPA even exists in the first place.
Now there are some exceptions to this golden rule, but the burden needs to be established by the business, i.e., your employer, that an exception to a deletion request even exists in the first place.
If you ever receive a deletion request at work, my recommendation to you is to take out a piece of paper and write on that note the words "Yes,
there needs to be a really good reason," because, you know, later in time you can rip that paper in half; the burden truly does fall on your company to establish that a deletion exception exists.
Assuming it does,
let's jump into it.
There are seven major exceptions to a deletion request.
In the e-commerce space, I'm starting at the top of the screen.
In order to fulfill a transaction, companies generally need to hold on to the personal information of consumers, things like shipping and credit card information. Sometimes they need to hold on to previous purchase history just in order to fulfill the request.
The Legislature understood that at the time the law was passed, and for that reason, fulfilling a transaction is one of the reasons why a company can refuse to delete consumer information.
For those of you who work in the information security space, the next three items on the right side of your screen, protecting against malicious activity, detecting security incidents, or even performing system maintenance and debugging,
are all reasons why you can refuse to delete consumer information.
The Legislature again understood that it is difficult to protect a network if at times you must delete log information or other types of personal information that might help you in addressing some sort of security incident.
That is a major exception to keep an eye on. And if you work in IT, it's going to be up to you to raise your hand and say,
"I believe that a deletion exception might apply here."
On the left side of your screen, these scenarios are, ah, a little less likely, but if you happen to work in the media space, the CCPA does create a deletion exception
if individuals are in the process of exercising their free speech.
Basically, the idea here is that the Internet today is the primary forum upon which individuals engage in political conversations.
And if consumers were able to delete pieces of information, then that would greatly endanger the ability of the First Amendment to work efficiently.
That's why that exception exists.
Legal obligations and warrants.
Nine times out of 10, that's going to be your legal department simply sending you a quick memo or an email saying, "Here are the individuals whose personal information you cannot delete." It's called a legal hold.
You'll likely just get a notice via email or something like that.
This one is actually very hot right now:
peer-reviewed scientific research.
Say, for instance, you were to volunteer to be a member of the clinical trials that are taking place to help develop a vaccine for COVID-19.
You cannot later in time request that your personal information be deleted,
because that would throw off the results of the scientific research that's taking place.
Those are the seven deletion exceptions on paper. You need to keep an eye on them.
There are two additional exceptions that you can also use if needed.
Let's start on the left side of the screen.
You can also refuse to delete consumer information if the internal use is reasonably aligned with the expectations of the consumer, based upon the relationship that the consumer has with the business.
Let me pause there and actually jump quickly over to the right side, and then I'll explain both at the same time.
Your business, your company, can also use personal information internally in a lawful manner that's compatible with the context in which the consumer provided the information in the first place.
This is very troublesome for a lot of privacy advocates.
In fact, at the time that the CCPA was being negotiated in Sacramento, one of the legislators screamed out loud the quote I have here:
"You could drive a train through that," and it's true. This is a major exception.
Long story short, if you are using personal information in a way that the consumer could expect you to use that information,
then okay, you can actually refuse to delete the personal information.
If you are using that information to conduct high-level marketing, to establish a series of inferences based on consumer behavior,
things like that,
that normally is not reasonably aligned with the consumer's expectations,
and you would be advised against using this exception.
By the way, that's a good point. I would strongly recommend you seek outside assistance before deciding that one of these exceptions applies.
Those are the deletion exceptions.
Now let me quickly discuss an important piece of this here.
Deletion requests need to be pushed down to your third parties,
all your service providers as well as any other company that your organization is aligned with,
so it could be a joint venture. It could be a parent company where there are other sister companies that all work together and maybe use the same server or same infrastructure on the back end. They also need to receive the deletion request as well.
They might not get it initially;
it is up to you to push that down and share that this information is going to be deleted.
If you only delete personal information that is housed on your network, you are not fulfilling a deletion request.
You do need to go into Salesforce and delete it; you do need to go into your cloud environment and delete it.
I recommend you double-check what's called your data processing agreements, DPAs.
Normally, that's driven by a privacy office or legal department. But service providers are familiar with these requests, and they should be deleting the personal information when they receive a request.
Keep an eye on your DPAs and ensure that third parties are in fact receiving a request for information to be deleted.
In summary, we've discussed the definition of a deletion request.
It's different than the right to be forgotten or the right to erasure that exists under the GDPR.
Why is that?
Because of all the deletion exceptions; there are far more than under the GDPR, and we will discuss some more of that in Module 9.
We also discussed the importance of pushing down deletion requests to your service providers and any other joint ventures or other sister companies that use the same infrastructure on the back end.
That catches everything for Lesson 3.4.
I will see you in the next lesson.